Merge over book changes into 3_0 CVS

(This used to be commit d8fe4a81fb0d4972b2331b3d5fc4890244b44c33)

1 files changed, 41 insertions, 34 deletions

diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml
index bed4e4ee56..d59b0f381e 100644
--- a/docs/docbook/projdoc/securing-samba.xml
+++ b/docs/docbook/projdoc/securing-samba.xml
@@ -49,8 +49,8 @@ Samba may be secured from connections that originate from outside the local netw
 done using <emphasis>host based protection</emphasis> (using samba's implementation of a technology
 known as "tcpwrappers", or it may be done be using <emphasis>interface based exclusion</emphasis>
 so that &smbd; will bind only to specifically permitted interfaces. It is also
-possible to set specific share or resource based exclusions, eg: on the <parameter>IPC$</parameter>
-auto-share. The <parameter>IPC$</parameter> share is used for browsing purposes as well as to establish
+possible to set specific share or resource based exclusions, eg: on the <smbconfsection>[IPC$]</smbconfsection>
+auto-share. The <smbconfsection>[IPC$]</smbconfsection> share is used for browsing purposes as well as to establish
 TCP/IP connections.
 </para>
 
@@ -85,16 +85,16 @@ before someone will find yet another vulnerability.
 	</para>
 
 	<para>
-	One of the simplest fixes in this case is to use the <parameter>hosts allow</parameter> and
-	<parameter>hosts deny</parameter> options in the Samba &smb.conf; configuration file to only
+	One of the simplest fixes in this case is to use the <smbconfoption><name>hosts allow</name></smbconfoption> and
+	<smbconfoption><name>hosts deny</name></smbconfoption> options in the Samba &smb.conf; configuration file to only
 	allow access to your server from a specific range of hosts. An example
 	might be:
 	</para>
 
-	<para><programlisting>
-		hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
-		hosts deny = 0.0.0.0/0
-	</programlisting></para>
+	<para><smbconfblock>
+<smbconfoption><name>hosts allow</name><value>127.0.0.1 192.168.2.0/24 192.168.3.0/24</value></smbconfoption>
+<smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
+	</smbconfblock></para>
 
 	<para>
 	The above will only allow SMB connections from 'localhost' (your own
@@ -111,12 +111,12 @@ before someone will find yet another vulnerability.
 
 	<para>
 	If you want to restrict access to your server to valid users only then the following
-	method may be of use. In the &smb.conf; <parameter>[globals]</parameter> section put:
+	method may be of use. In the &smb.conf; <smbconfsection>[global]</smbconfsection> section put:
 	</para>
 
-	<para><programlisting>
-		valid users = @smbusers, jacko
-	</programlisting></para>
+	<para><smbconfblock>
+<smbconfoption><name>valid users</name><value>@smbusers, jacko</value></smbconfoption>
+	</smbconfblock></para>
 
 	<para>
 	What this does is, it restricts all server access to either the user <emphasis>jacko</emphasis>
@@ -140,10 +140,10 @@ before someone will find yet another vulnerability.
 	You can change this behaviour using options like the following:
 	</para>
 
-	<para><programlisting>
-		interfaces = eth* lo
-		bind interfaces only = yes
-	</programlisting></para>
+	<para><smbconfblock>
+<smbconfoption><name>interfaces</name><value>eth* lo</value></smbconfoption>
+<smbconfoption><name>bind interfaces only</name><value>yes</value></smbconfoption>
+	</smbconfblock></para>
 
 	<para>
 	This tells Samba to only listen for connections on interfaces with a
@@ -209,11 +209,11 @@ before someone will find yet another vulnerability.
 	To do that you could use:
 	</para>
 
-	<para><programlisting>
-[ipc$]
-	hosts allow = 192.168.115.0/24 127.0.0.1
-	hosts deny = 0.0.0.0/0
-	</programlisting></para>
+	<para><smbconfblock>
+<smbconfsection>[ipc$]</smbconfsection>
+<smbconfoption><name>hosts allow</name><value>192.168.115.0/24 127.0.0.1</value></smbconfoption>
+<smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
+	</smbconfblock></para>
 
 	<para>
 	this would tell Samba that IPC$ connections are not allowed from
@@ -245,23 +245,30 @@ before someone will find yet another vulnerability.
 	To configure NTLMv2 authentication the following registry keys are worth knowing about:
 	</para>
 
-	<!-- FIXME -->
 	<para>
-	<screen>
+		<screen>
 		[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
 		"lmcompatibilitylevel"=dword:00000003
+		</screen>
+	</para>
 
+	<para>
 		0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication,
 		use NTLMv2 session security if the server supports it. Domain
 		controllers accept LM, NTLM and NTLMv2 authentication.
+	</para>
 
+	<para>
+		<screen>
 		[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
 		"NtlmMinClientSec"=dword:00080000
+		</screen>
+	</para>
 
+	<para>
 		0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
 		NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
 		session security is not negotiated.
-	</screen>
 	</para>
 	</sect2>
 </sect1>
@@ -270,10 +277,10 @@ before someone will find yet another vulnerability.
 <title>Upgrading Samba</title>
 
 <para>
-Please check regularly on <ulink url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
+Please check regularly on <ulink noescape="1" url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
 important announcements.  Occasionally security releases are made and 
 it is highly recommended to upgrade Samba when a security vulnerability
-is discovered.
+is discovered. Check with your OS vendor for OS specific upgrades.
 </para>
 
 </sect1>
@@ -346,21 +353,21 @@ out to be a security problem request are totally convinced that the problem is w
 
 	<para>
 	Samba does allow the setup you require when you have set the
-	<parameter>only user = yes</parameter> option on the share, is that you have not set the
+	<smbconfoption><name>only user</name><value>yes</value></smbconfoption> option on the share, is that you have not set the
 	valid users list for the share.
 	</para>
 
 	<para>
 	Note that only user works in conjunction with the users= list,
 	so to get the behavior you require, add the line :
-	<programlisting>
-	users = %S
-	</programlisting>
+	<smbconfblock>
+<smbconfoption><name>users</name><value>%S</value></smbconfoption>
+</smbconfblock>
 	this is equivalent to:
-	<programlisting>
-	valid users = %S
-	</programlisting>
-	to the definition of the <parameter>[homes]</parameter> share, as recommended in
+	<smbconfblock>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+	</smbconfblock>
+	to the definition of the <smbconfsection>[homes]</smbconfsection> share, as recommended in
 	the &smb.conf; man page.
 	</para>
 	</sect2>